Group Policy is an infrastructure that enables you to specify managed configurations for users and computers through Group Policy settings and Group Policy Preferences. For Group Policy settings that affect only a local computer or user, you can use the Local Group Policy Editor. You can manage Group Policy settings and Group Policy Preferences in an Active Directory Domain Services (AD DS) environment through the Group Policy Management Console (GPMC). Group Policy management tools are also included in the Remote Server Administration Tools pack, which provides a way for you to administer Group Policy settings from your desktop. For more information about Group Policy, see the Group Policy Overview.

In Windows Server 2012, you can refresh Group Policy settings, including security settings that are set on a group of remote computers, by using the functionality that is added to the context menu for an organizational unit (OU) in the Group Policy Management Console (GPMC). This functionality schedules a task on all computers in a selected OU, which refreshes the computer and user Group Policy settings.

What value does this change add?

When you troubleshoot Group Policy issues for a specific computer or user, you can run gpupdate.exe to verify that the most current Group Policy settings have been applied. This command-line utility needs to be run on a specific computer. In Windows Server 2012, you can schedule gpupdate.exe to run on multiple computers from the GPMC or from a Windows PowerShell session by using the new Invoke-GPUpdate cmdlet.

What works differently?

Prior to Windows Server 2012, you would have to remote to a specific computer and run gpupdate.exe from the command line. In Windows Server 2012, you can update Group Policy for all computers in a specific OU and the OUs that it contains. For more information about the new remote Group Policy update feature, see Force a Remote Group Policy Refresh (GPUpdate).

Group Policy Results in Windows Server 2012 includes more information to help determine if a Group Policy setting was applied to a computer or user. If the results do not match the expected results, there is information about why this happened.

What value does this change add?

It is sometimes hard to determine why Group Policy applied the specific policy settings and Preferences. The Group Policy Results report includes the following new information to help you understand why a particular Group Policy result was achieved:

Whether the connection was determined to be a slow link or fast link

Whether block inheritance has been set

Whether loopback has been set

The processing time for each client-side extension

The GPO name is now displayed with each Group Policy setting and preference item. This identifies which is the winning GPO for a particular policy setting or preference item.

What works differently?

The following applicable conditions are displayed on the Group Policy Results Summary tab:

If a slow link or fast link is detected

If block inheritance is set

If loopback is enabled

The Group Policy Results Details tab displays:

The OU that contains the computer or user.

The Component Status section displays the amount of time each client-side extension took to process and the last time each client-side extension processed.

The Component Status section provides a link in the Event Log column that displays the event log messages from the last Group Policy refresh. This functionality is equivalent to the information that is returned from the GPLogview.exe utility.

The Winning GPO name is displayed in a table with each Policy setting name and the value that is set for each policy setting and preference item.

Important

To view the Group Policy Results for a specific computer, the following firewall rules must be set on each client computer to allow the following connections:

Remote Event Log Management (NP-IN)

Remote Event Log Management (RPC)

Remote Event Log Management (RPC-EPMAP)

Windows Management Instrumentation (WMI-IN)

If you do not want to allow the connections on computers, you can also run Gpresult.exe /h <filename.html> from the command line on each local computer, where filename.html is the name of a file to which Gpresult writes the output.
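A local audit of the four firewall rules listed above, as an added example that is not part of the original page. It assumes Windows 8 or Windows Server 2012 or later (NetSecurity module) and an elevated session, and it matches the rule display names as this page spells them; the Finding column is a convention of this example.

```powershell
# Added example: report whether the inbound rules needed for remote
# Group Policy Results are enabled, on which profiles, and for which sources.
$ruleNames = @(
    'Remote Event Log Management (NP-IN)',
    'Remote Event Log Management (RPC)',
    'Remote Event Log Management (RPC-EPMAP)',
    'Windows Management Instrumentation (WMI-IN)'
)

$report = foreach ($name in $ruleNames) {
    $rules = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $rules) {
        Write-Warning "Rule not found on this computer: $name"
        continue
    }
    # A display name can map to several rules (one per profile set).
    foreach ($rule in $rules) {
        $remote  = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        $enabled = ($rule.Enabled -eq 'True')
        $profile = "$($rule.Profile)"

        $finding = if (-not $enabled) {
            'Disabled: remote Group Policy Results will fail'
        } elseif ($profile -ne 'Domain') {
            'Enabled outside the Domain profile: consider narrowing'
        } elseif ($remote -eq 'Any') {
            'Enabled for any source: consider limiting to management hosts'
        } else {
            'OK'
        }

        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Enabled       = $enabled
            Profile       = $profile
            RemoteAddress = $remote
            Finding       = $finding
        }
    }
}

$report | Format-Table -AutoSize -Wrap
```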

Display the status of Active Directory and SYSVOL replication as it relates to all Group Policy Objects or a single Group Policy Object.

What value does this change add?

Group Policy relies on being stored and replicated to all domain controllers in a domain. There can be a lag time after a change is made on one domain controller before the change is replicated to all other domain controllers. Until changes to a GPO are replicated to the domain controller that a client computer is accessing, that computer will receive the earlier version of the GPO during Group Policy refresh. In earlier versions of the Windows operating system, administrators had to download GPOtool.exe to diagnose these issues.

What works differently?

In Windows Server 2012, you no longer need to download and run a separate tool for monitoring and diagnosing replication issues related to Group Policy at the domain level. Potential differences that can be viewed by using the Group Policy infrastructure status are:

Active Directory and SYSVOL security descriptor (ACL details)

Active Directory and SYSVOL GPO version details

Number of GPOs listed in Active Directory and SYSVOL for each domain controller
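The same three comparisons can be scripted, shown here as an added example that is not part of the original page. It assumes the GroupPolicy and ActiveDirectory modules (RSAT) and read access to every domain controller; it compares version numbers and GPO counts only, not security descriptors.

```powershell
# Added example: compare GPO versions in Active Directory and SYSVOL
# as reported by each domain controller in the current domain.
Import-Module GroupPolicy, ActiveDirectory

$domain = (Get-ADDomain).DNSRoot

# One row per (domain controller, GPO); versions shown as computer/user.
$rows = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $gpos = Get-GPO -All -Domain $domain -Server $dc.HostName -ErrorAction Stop
    } catch {
        Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
        continue
    }
    foreach ($gpo in $gpos) {
        [pscustomobject]@{
            DC            = $dc.HostName
            GpoName       = $gpo.DisplayName
            GpoId         = $gpo.Id
            AdVersion     = '{0}/{1}' -f $gpo.Computer.DSVersion, $gpo.User.DSVersion
            SysvolVersion = '{0}/{1}' -f $gpo.Computer.SysvolVersion, $gpo.User.SysvolVersion
        }
    }
}

# 1. On one domain controller, the AD and SYSVOL copies of a GPO disagree.
'AD/SYSVOL version mismatch on a single domain controller:'
$rows | Where-Object { $_.AdVersion -ne $_.SysvolVersion } |
    Format-Table DC, GpoName, AdVersion, SysvolVersion -AutoSize

# 2. Domain controllers disagree with each other about a GPO's version,
#    so clients receive different settings depending on which one they reach.
'GPOs whose version differs between domain controllers:'
$rows | Group-Object GpoId | Where-Object {
    @($_.Group | Select-Object -ExpandProperty AdVersion -Unique).Count -gt 1 -or
    @($_.Group | Select-Object -ExpandProperty SysvolVersion -Unique).Count -gt 1
} | ForEach-Object { $_.Group } |
    Format-Table GpoName, DC, AdVersion, SysvolVersion -AutoSize

# 3. Number of GPOs each domain controller returned.
'GPO count per domain controller:'
$rows | Group-Object DC | Select-Object Name, Count | Format-Table -AutoSize
```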

Local Group Policy is available for Windows RT. It is off by default, but can be turned on by the local administrator.

What works differently?

For Windows RT devices, the Group Policy Client service is disabled by default. The Group Policy Client service must be set to Automatic and started by the administrator before Group Policy is processed on the device.

More control to determine if the network connection should be processed as a slow link improves the sign-in experience for users by allowing users to sign in faster.

What works differently?

For DirectAccess connections, when the network connection speed cannot be determined, Group Policy processing defaults to slow-link mode. During sign-in, if a slow link is detected, Group Policy automatically switches to asynchronous processing. A new policy setting enables administrators to configure all 3G connections so that they are treated as a slow link. To disable 3G slow-link connections, select the Always treat WWAN connections as a slow link check box after you have enabled the Configure Group Policy slow link detection policy setting.

Note

The Configure Group Policy slow link detection policy setting is located under Computer Configuration\Policies\Administrative Templates\System\Group Policy in the Group Policy Management Editor.

Automate the remote Group Policy update by using the new Invoke-GPUpdate cmdlet.

Note

Group Policy cmdlets can also run on the Server Core installation option.

What value does this change add?

The new Invoke-GPUpdate cmdlet provides more functionality than applying remote Group Policy update through the GPMC interface. For example, the Invoke-GPUpdate cmdlet enables you to refresh computers located in the default computer container, while the remote Group Policy update functionality in the GPMC enables you to remotely refresh only computers that are located in an OU.
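Refreshing the default computer container, which the GPMC context menu cannot target, as an added example that is not part of the original page. It assumes the GroupPolicy and ActiveDirectory modules, administrative rights on the target computers, and a 10-minute random delay chosen for illustration.

```powershell
# Added example: schedule a computer-policy refresh on every enabled computer
# account in the domain's default computer container.
Import-Module GroupPolicy, ActiveDirectory

# The default container is a container object (CN=...), not an OU.
$container = (Get-ADDomain).ComputersContainer

$computers = Get-ADComputer -Filter 'Enabled -eq $true' `
    -SearchBase $container -SearchScope OneLevel

$results = foreach ($computer in $computers) {
    # Fall back to the account name if no DNS host name is registered.
    $target = if ($computer.DNSHostName) { $computer.DNSHostName } else { $computer.Name }
    try {
        # Invoke-GPUpdate creates a scheduled task on the remote computer;
        # the random delay spreads the load on domain controllers.
        Invoke-GPUpdate -Computer $target -Target Computer `
            -RandomDelayInMinutes 10 -ErrorAction Stop
        $status = 'Scheduled'
    } catch {
        $status = "Failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Computer = $target; Status = $status }
}

$results | Sort-Object Status, Computer | Format-Table -AutoSize -Wrap
```

A Status of Scheduled means only that the task was created on the remote computer; confirm that the settings applied with Group Policy Results.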

On a Server Core installation, you can manage GPMC functionality by using Group Policy cmdlets. This provides you with more flexibility for managing Group Policy.

The Get-GPPermissions cmdlet and the Set-GPPermissions cmdlet are renamed to the singular form: Get-GPPermission and Set-GPPermission. Both cmdlets have aliases for their previous names to support backward compatibility.

An increase in the maximum size allowed for registry.pol enables faster downloads of registry.pol files from domain controllers.

What value does this change add?

With this change, there should be very few situations where the maximum size of the registry.pol file restrains administrators from adding new Administrative Template settings to a GPO. With the faster download of registry.pol files, Group Policy processing speed should increase.

What works differently?

The registry.pol file maximum size is increased to 100 MB. The Group Policy processing has been changed to read larger amounts of data from a registry.pol file when processing the Administrative Template settings. This change results in less network access for reading the registry.pol file from the domain controller, which speeds up Group Policy processing.

The Group Policy Client service will sleep when the Group Policy service is idle for more than 10 minutes.

What value does this change add?

Group Policy processes approximately every 90 minutes, by default. Setting the Group Policy Client service to sleep in between processing helps create better performance for client computers.

What works differently?

Group Policy background refresh starts as a scheduled task, not as a service that continuously checks to determine when it is time to run the background refresh. The scheduled task model requires less overhead processing, which creates better performance for client computers.

The Internet Explorer Maintenance (IEM) snap-in is replaced by the Internet Explorer 10 preference extension. Administrators can use the Internet Explorer 10 preference extension or the Internet Explorer Administration Kit (IEAK) to configure Group Policy settings. Information about the Internet Explorer 10 preference extension can be found at:

The following features and functionalities have been removed from this release of Group Policy. Applications, code, or usage that depends on these features will not function in this release unless you employ an alternate method. For more information about removed or deprecated functionality in this release, see Features Removed or Deprecated in Windows Server 2012.

The Immediate Task preference item no longer supports the following actions: